Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild
The flaw, tracked as CNVD-2020-26585, is being actively exploited in the wild, putting thousands of unpatched deployments at serious risk.
The vulnerability stems from an unrestricted file upload mechanism affecting ShowDoc versions before 2.8.7.
According to technical analyses and proof-of-concept (PoC) exploits shared on the Vulhub repository, the flaw allows unauthenticated attackers to upload arbitrary files without proper validation or sanitization.
Because the vulnerable endpoint does not require login authentication, malicious actors can directly upload PHP webshells or other backdoors by sending crafted HTTP POST requests to the /index.php?s=/home/page/uploadImg path.
Attackers commonly disguise payloads with deceptive filenames such as test.<>php to bypass weak file extension filters.
Once uploaded, the server automatically returns a URL pointing to the malicious file. When the attacker visits that URL, the payload executes, granting full remote code execution capabilities on the system.
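A log triage sketch for the upload-then-visit sequence described above (an added example, not code from this article, ShowDoc or Vulhub): it flags POST requests to the uploadImg route and any later successful request by the same client for a PHP file other than index.php. The Combined Log Format, the index.php allow-list, the case-insensitive route match and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ROUTE = "/home/page/uploadimg"  # route from the article, lowercased
ALLOWED_SCRIPTS = {"index.php"}        # assumption: only expected PHP entry point

def is_upload_post(method, target):
    """POST whose s= route is the uploadImg endpoint (raw or URL-encoded)."""
    if method != "POST":
        return False
    route = parse_qs(urlsplit(target).query).get("s", [""])[0]
    return route.rstrip("/").lower() == UPLOAD_ROUTE

def is_unexpected_php(target):
    """Requested file is a .php script outside ALLOWED_SCRIPTS."""
    name = urlsplit(target).path.rsplit("/", 1)[-1].lower()
    return name.endswith(".php") and name not in ALLOWED_SCRIPTS

def triage(lines):
    """Return (line_no, ip, finding, target) tuples worth reviewing."""
    uploaders, findings = set(), []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        if is_upload_post(method, target):
            uploaders.add(ip)
            findings.append((no, ip, "upload-post", target))
        elif ip in uploaders and m["status"] == "200" and is_unexpected_php(target):
            findings.append((no, ip, "php-after-upload", target))
    return findings

# Constructed sample lines: documentation IPs, placeholder upload directory.
SAMPLE = [
    '198.51.100.9 - - [01/Jan/2024:09:00:00 +0000] "GET /index.php?s=/home/item/index HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:09:01:10 +0000] "POST /index.php?s=/home/page/uploadImg HTTP/1.1" 200 118',
    '203.0.113.7 - - [01/Jan/2024:09:01:14 +0000] "GET /UPLOAD_DIR_PLACEHOLDER/constructed.php HTTP/1.1" 200 12',
    '203.0.113.44 - - [01/Jan/2024:09:03:30 +0000] "POST /index.php?s=%2Fhome%2Fpage%2FuploadImg HTTP/1.1" 200 118',
    '203.0.113.44 - - [01/Jan/2024:09:03:31 +0000] "GET /index.php?s=/home/page/uploadImg HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Findings are leads for review rather than proof of compromise, and a follow-up fetch made from a different client IP is not correlated by this sketch.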
Security analysts warn that exploiting this flaw is alarmingly simple and requires minimal technical expertise.
Once a webshell is deployed, attackers can execute arbitrary commands, exfiltrate sensitive internal documentation, move laterally across internal networks, or deploy additional malware like ransomware.
The PoC hosted on Vulhub confirms successful code execution, underscoring the vulnerability’s severity.
Given ShowDoc’s popularity among software teams for storing API documents and configuration details, exploitation could expose critical infrastructure secrets and facilitate broader supply chain attacks.
Administrators operating vulnerable ShowDoc instances are urged to act immediately to mitigate potential compromise.
Key defensive measures include:
Security professionals emphasize that even though CNVD-2020-26585 is a known vulnerability, the continued exploitation of outdated versions highlights the urgency of consistent patch management and perimeter hardening.
The post Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.